Exim's Mail Vulnerability: A Tale of Swift Action and Unaffected SiteGround Clients
Picture this: a lively party, a toddler’s bedtime routine, a road trip. That is what three of our security engineers were in the middle of on that particular Saturday, September 30th. Suddenly their phones beep at the same moment, far apart yet in unison, cutting through the noise of the party, the hush of the nursery and the hum of the highway. It’s a report of a critical security issue with Exim, the mail server used by 56% of all mail servers on the internet, including SiteGround’s. Despite their different settings, all three engineers dropped their plans immediately and joined the response, a testament to our unwavering commitment to security.
What’s Exim and Why Should We Care?
Exim is like the mailman of the digital world, responsible for delivering your emails from one point to another. An issue with Exim could potentially mean serious trouble for your emails, and not only. To give you an idea of the scale, Exim is the most popular mail server in the world, used by more than 342,000 mail servers. That’s over 56% of all mail servers on the internet. Naturally, it’s the mail server software we at SiteGround rely on entirely for the delivery of outgoing messages and incoming mail for all our customers.
Given that email services are a crucial part of our hosting offering, used by the majority of our clients, we’re consistently working on maintaining our email security, deliverability, and reliability. It all starts with a heavy customization process, our usual approach to every piece of software we run: we tailor it to meet our clients’ needs better, and that also gives us more control to keep it extra secure and always up to date.
The Exim Issue and SiteGround’s Proactive Response
The problem, tagged as CVE-2023-42115, was in fact a combination of six different zero-day exploits against Exim. A zero-day exploit is one for which no patch exists yet, so every server running the affected configuration is immediately at risk. We got the report as soon as it was issued and immediately dived into all six issues to assess the risk for our clients.
The good news was that, since we heavily customize all software on our servers, the particular parts of Exim that were affected are not even used on our servers. However, our work did not stop there. Here is a breakdown of all issues, why SiteGround clients were safe, and what we did to ensure this remains so.
Three of the reported Exim exploits related to different types of email authentication, namely SPA/NTLM and EXTERNAL auth. Simply put, these mechanisms deal with proving to the mail server who you are before it allows you to send emails. The new vulnerability meant that an attacker could craft a special request, use the security holes in the authentication mechanisms and gain access to the server which runs Exim. Even more than that, the attacker could gain full access to the server: not only Exim as a mail server but all data residing on the server. On SiteGround servers, however, we don’t use any of these authentication methods, so SiteGround clients were not affected.
The fourth exploit was a proxy problem, very similar in nature to the first three, and the fifth issue resided in a library called “libspf2”, used for certain checks related to email SPF records. Since we don’t use proxies in front of our Exim mail servers at SiteGround, nor do we use the problematic library, we were not affected by this vector of the attack either.
The last problem was related to how DNS lookups are performed. Many operators simply use third-party DNS resolvers and cannot be sure whether those resolvers validate the data they return. SiteGround runs its own DNS resolvers and validates the data we receive, so this did not affect us either.
All in all, we were lucky with most of the vectors of the attack, but it still took us a substantial amount of time to double and triple-check every one of those points. And, of course, we went beyond that.
Usually, there are two ways to go about a vulnerability. You can assess if and how it affects you, and if it does not, simply wave it off and sit this one out. The smarter way, though, is to think ahead: even if a particular vulnerability, or a number of them, does not directly affect you, be proactive and install the patches anyway, just in case the issue develops and opens the door to further exploits that could turn out to affect you at a later stage.
So this is exactly what we did. Despite not being directly at risk from any of the vectors of this particular attack, our security engineers didn’t just sit back. In addition to meticulously checking and testing all exploits to make sure they do not affect SiteGround servers, as soon as a new, safer version of Exim was released (version 4.96.1), we immediately upgraded all our Exim mail servers. It’s our way of ensuring your peace of mind, and a testament to our proactive approach to security.
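The assessment described above (which of the affected Exim features are actually enabled, and is the running version older than 4.96.1?) can be turned into a repeatable check. The script below is an added example for readers who run their own Exim; it is not SiteGround’s tooling. It assumes the standard Exim names for the features named in this post: the `spa` and `external` authenticator drivers, the `hosts_proxy` main option for proxy-protocol support, the `spf` ACL condition, and the layout of `exim -bV` output. The sample `-bV` output and config are constructed. The DNS-resolver vector is not visible in the Exim config, so it is out of scope for this check.

```python
import re

# Version this post names as the fixed release; anything older is flagged.
FIXED_VERSION = (4, 96, 1)

# Authenticator drivers named in the post (SPA/NTLM and EXTERNAL).
# Assumption: standard Exim driver names.
AUTH_DRIVERS = {"spa", "external"}


def parse_exim_bv(text):
    """Parse `exim -bV` output into version, compiled-in support flags and
    compiled-in authenticator drivers. Compiled in is not the same as used."""
    info = {"version": None, "support": set(), "authenticators": set()}
    for line in text.splitlines():
        m = re.match(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", line)
        if m:
            info["version"] = (int(m[1]), int(m[2]), int(m[3] or 0))
        elif line.startswith("Support for:"):
            info["support"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Authenticators:"):
            info["authenticators"] = set(line.split(":", 1)[1].split())
    return info


def configured_features(config_text):
    """Return the advisory-relevant features actually enabled in a runtime config."""
    used = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"driver\s*=\s*(\w+)", line)
        if m and m[1] in AUTH_DRIVERS:
            used.add("auth:" + m[1])
        if re.match(r"hosts_proxy\s*=", line):       # proxy protocol enabled
            used.add("proxy")
        if re.search(r"\bspf\s*=", line):            # spf = pass/fail/... ACL condition
            used.add("spf")
    return used


def assess(bv_text, config_text):
    """Combine build info and config into findings; an empty list means nothing to do."""
    info = parse_exim_bv(bv_text)
    used = configured_features(config_text)
    findings = []
    if info["version"] is not None and info["version"] < FIXED_VERSION:
        ver = ".".join(map(str, info["version"]))
        findings.append(f"version {ver} is older than 4.96.1: upgrade")
    compiled = {"auth:" + a for a in info["authenticators"] & AUTH_DRIVERS}
    if "PROXY" in info["support"]:
        compiled.add("proxy")
    if "SPF" in info["support"]:
        compiled.add("spf")
    for feat in sorted(compiled - used):
        findings.append(f"{feat} compiled in but not configured: not exposed by this config")
    for feat in sorted(used):
        findings.append(f"{feat} configured: in scope, review and patch")
    return findings


# Constructed sample data, shaped like real `exim -bV` output and an Exim config.
SAMPLE_BV = """Exim version 4.96 #2 built 02-Jul-2022 12:34:56
Support for: crypteq iconv() IPv6 GnuTLS DANE DKIM DNSSEC PROXY SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch dbm dnsdb dsearch
Authenticators: cram_md5 dovecot plaintext spa tls external
Routers: accept dnslookup manualroute redirect
"""

SAMPLE_CONFIG = """begin acl
acl_check_rcpt:
  deny  spf = fail        # constructed: SPF check in use
  accept

begin authenticators
plain_login:
  driver = plaintext      # not one of the affected drivers
  public_name = PLAIN
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_BV, SAMPLE_CONFIG):
        print(finding)
```

On a live host, feed the script the output of `exim -bV` and the contents of the runtime configuration file that `-bV` names; a finding of the form `... configured: in scope` is the one that calls for action before the version upgrade is scheduled.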
We hope this post helps you understand our approach to security through the lens of a real and very recent serious issue with software used by half of the mail servers on the internet. Rest assured, at SiteGround we’re always ready to leap into action on any potential issue that could affect your data. We’re committed to keeping your data safe and your mind at ease. If you have any questions or concerns, we’re here for you. Thanks for sticking with us, and here’s to staying safe and secure with SiteGround.